[Snort-devel] Snort.org Blog: Snort 2.9.1 beta coming soon!

Russ Combs rcombs at ...402...
Mon Jun 13 16:01:59 EDT 2011


On Mon, Jun 13, 2011 at 3:03 PM, Martin Holste <mcholste at ...2499...> wrote:

> > No - that is still TBD.  Are you seeing much traffic like this or just
> > concerned about attacks?
>
> Both.  We see 206's sent with extreme regularity both in legitimate
> and illegitimate applications.
>

If you have any pcaps you can share I'll fold them into our test data.

>
> > No - logging is in the main thread.
>
> Ok, I get why stream reassembly is theoretically more efficient in a
> single thread because of CPU caching, etc., but I don't understand why
> packets still have to wait in line for a u2 entry to be written.  It
> seems like tossing output from the main thread into an async output
> thread would be pretty easy because you don't have to keep state and
> everything is one-way.  For alerting, the volume is not an issue, but
> as more analysts use packet tagging and now HTTP logging, the strain
> on that single main thread is going to cause packet drops for some if
> they're not extremely careful.  If I'm missing something, I'd be
> grateful for clarification.
>

Agreed.  I don't think this issue has reached a point where it is on our
roadmap yet, but all the extra logging could lead to reevaluating sooner
rather than later.  Thanks for your comments.
